openssl

No Image

News, published-external March 20, 2015

The mysterious OpenSSL vulnerability has been patched

No, it doesn’t have a name like Heartbleed or POODLE, it was “just” a denial-of-service. “Just” is by no means something to be ignored, but it is less dangerous with the previous vulnerabilities. All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. According to OpenSSL’s Security Policy, a “high severity issue”  includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS (like this one), a significant leak of server memory (Heartbleed), and remote code execution. OpenSSL promises that such issues “will be kept private and will trigger a new release of all supported versions”. They will attempt to keep the time these issues are private to a minimum, but the goal would be “no longer than a month” where this is something that can be controlled, and significantly quicker if there is a significant risk or we are aware the issue is…

No Image

published-external March 19, 2015

OpenSSL: Patch for secret “high severity” vulnerability

After Heartbleed, Poodle and FREAK which turned the IT world upside down, numerous companies have asked to have a though review of the most used SSL implementation in the world: OpenSSL. And indeed, in order to avoid being again in the news, the OpenSSL Foundation is set to release later this week several patches for OpenSSL, fixing undisclosed security vulnerabilities, including one that has been rated “high” severity. Matt Caswell of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf will be released Thursday. “These releases will be made available on 19th March,” Caswell wrote. “They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity.” OpenSSL has been hit hard and the trust in it and in open source in general has been severely shaken in the last 12 months. Last year in April, Heartbleed (CVE-2014-0160) was discovered in older versions of OpenSSL, but still highly used, which allowed hackers to read the sensitive contents of users’ encrypted data, such as financial transactions, instant messages and even steal SSL keys from Internet servers or client software that were running the affected versions of OpenSSL. Two…

No Image

General, News, security March 6, 2015

Security experts are FREAKing out again because of a new OpenSSL vulnerability

After Heartbleed, a new security vulnerability in SSL is making headlines and producing again headaches for security experts. As any good and mind blowing (for most people) vulnerability, it has a nice name – FREAK, a CVE number – CVE-2015-0204 and a dedicated website https://freakattack.com/ . FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan. This time, the vulnerability can allow hackers to perform a Man In The Middle(MITM) attack on traffic routed between a device that uses the affected version of OpenSSL and many websites, by downgrading the encryption to an easy to crack 512 bits (64KB). A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. To be affected, devices must use the vulnerable version of OpenSSL. The problem is that OpenSSL is embedded sometimes in the firmware of the device like those running Apple’s iOS, Google’s Android. This makes the patching anything else than trivial. IfApple and Google will hurry…

%d bloggers like this: